Snort mailing list archives
Configuring Snort to work with Pytbull
From: "Sarfraz Saddiq" <safs () email com>
Date: Tue, 22 May 2018 12:43:28 +0100
Hi, I am new to Snort, and I was wondering if you could help me as I just cannot figure it out! I am trying to test Snort by using Pytbull to deliver various attacking payloads, but whenever I load up pytbull it says:

***ERROR: FTP Error, 550 Failed to open file. Check your configuration (section FTP in config.cfg). Also check privileges on remote host.

I do have FTP access on the Snort machine and can access it no problem.

This is the config snippet from Pytbull:

db = data/pytbull.db
urlpdf = https://github.com/sebastiendamaye/public/raw/master/infected/
pdfdir = pdf/malicious
pcapdir = pcap
tempfile = /tmp/pytbull.tmp
alertsfile = /var/log/snort/alert
#alertsfile = /var/log/suricata/fast.log

[ENV]
sudo = /usr/bin/sudo
nmap = /usr/bin/nmap
nikto = /usr/share/golismero/tools/nikto/nikto.pl
niktoconf = /usr/share/golismero/tools/nikto/nikto.conf
hping3 = /usr/sbin/hping3
tcpreplay = /usr/bin/tcpreplay
ab = /usr/bin/ab
ping = /bin/ping
ncrack = /usr/bin/ncrack
ncrackusers = /opt/pytbull/data/ncrack-users.txt
ncrackpasswords = /opt/pytbull/data/ncrack-passwords.txt
localhost = 127.0.0.1

[FTP]
ftpproto = ftp
ftpport = 21
ftpuser = saffy
ftppasswd = toor

And this is the config from Snort:

---------------------------------------------------------------------------
-- Snort++ configuration
---------------------------------------------------------------------------

-- there are over 200 modules available to tune your policy.
-- many can be used with defaults w/o any explicit configuration.
-- use this conf as a template for your specific configuration.

-- 1. configure environment
-- 2. configure defaults
-- 3. configure inspection
-- 4. configure bindings
-- 5. configure performance
-- 6. configure detection
-- 7. configure filters
-- 8. configure outputs

---------------------------------------------------------------------------
-- 1. configure environment
---------------------------------------------------------------------------

-- given:
-- export DIR=/install/path
-- configure --prefix=$DIR
-- make install

-- then:
-- export LUA_PATH=$DIR/include/snort/lua/?.lua\;\;
-- export SNORT_LUA_PATH=$DIR/etc/snort

-- this depends on LUA_PATH
-- used to load this conf into Snort
require('snort_config')

-- this depends on SNORT_LUA_PATH
-- where to find other config files
conf_dir = os.getenv('SNORT_LUA_PATH')

if ( not conf_dir ) then
    conf_dir = '.'
end

---------------------------------------------------------------------------
-- 2. configure defaults
---------------------------------------------------------------------------

-- HOME_NET and EXTERNAL_NET must be set now
-- setup the network addresses you are protecting
HOME_NET = 'any'

-- set up the external network addresses.
-- (leave as "any" in most situations)
EXTERNAL_NET = 'any'

dofile(conf_dir .. '/snort_defaults.lua')
dofile(conf_dir .. '/file_magic.lua')

---------------------------------------------------------------------------
-- 3. configure inspection
---------------------------------------------------------------------------

-- mod = { } uses internal defaults
-- you can see them with snort --help-module mod

-- mod = default_mod uses external defaults
-- you can see them in snort_defaults.lua

-- the following are quite capable with defaults:

stream = { }
stream_ip = { }
stream_icmp = { }
stream_tcp = { }
stream_udp = { }
stream_user = { }
stream_file = { }

arp_spoof = { }
back_orifice = { }
dnp3 = { }
dns = { }
http_inspect = { }
http2_inspect = { }
imap = { }
modbus = { }
normalizer = { }
pop = { }
rpc_decode = { }
sip = { }
ssh = { }
ssl = { }
telnet = { }

dce_smb = { }
dce_tcp = { }
dce_udp = { }
dce_http_proxy = { }
dce_http_server = { }

-- see snort_defaults.lua for default_*
gtp_inspect = default_gtp
port_scan = default_med_port_scan
smtp = default_smtp

ftp_server = default_ftp_server
ftp_client = { }
ftp_data = { }

-- see file_magic.lua for file id rules
file_id = { file_rules = file_magic }

-- the following require additional configuration to be fully effective:

appid =
{
    -- appid requires this to use appids in rules
    -- app_detector_dir = '/opt/snort/lib',
}

--[[
reputation =
{
    -- configure one or both of these, then uncomment reputation
    --blacklist = 'blacklist file name with ip lists'
    --whitelist = 'whitelist file name with ip lists'
}
--]]

---------------------------------------------------------------------------
-- 4. configure bindings
---------------------------------------------------------------------------

wizard = default_wizard

binder =
{
    -- port bindings required for protocols without wizard support
    { when = { proto = 'udp', ports = '53' }, use = { type = 'dns' } },
    { when = { proto = 'tcp', ports = '111' }, use = { type = 'rpc_decode' } },
    { when = { proto = 'tcp', ports = '502' }, use = { type = 'modbus' } },
    { when = { proto = 'tcp', ports = '2123 2152 3386' }, use = { type = 'gtp' } },
    { when = { proto = 'tcp', service = 'dcerpc' }, use = { type = 'dce_tcp' } },
    { when = { proto = 'udp', service = 'dcerpc' }, use = { type = 'dce_udp' } },
    { when = { service = 'netbios-ssn' }, use = { type = 'dce_smb' } },
    { when = { service = 'dce_http_server' }, use = { type = 'dce_http_server' } },
    { when = { service = 'dce_http_proxy' }, use = { type = 'dce_http_proxy' } },
    { when = { service = 'dnp3' }, use = { type = 'dnp3' } },
    { when = { service = 'dns' }, use = { type = 'dns' } },
    { when = { service = 'ftp' }, use = { type = 'ftp_server' } },
    { when = { service = 'ftp-data' }, use = { type = 'ftp_data' } },
    { when = { service = 'gtp' }, use = { type = 'gtp_inspect' } },
    { when = { service = 'imap' }, use = { type = 'imap' } },
    { when = { service = 'http' }, use = { type = 'http_inspect' } },
    { when = { service = 'http2' }, use = { type = 'http2_inspect' } },
    { when = { service = 'modbus' }, use = { type = 'modbus' } },
    { when = { service = 'pop3' }, use = { type = 'pop' } },
    { when = { service = 'ssh' }, use = { type = 'ssh' } },
    { when = { service = 'sip' }, use = { type = 'sip' } },
    { when = { service = 'smtp' }, use = { type = 'smtp' } },
    { when = { service = 'ssl' }, use = { type = 'ssl' } },
    { when = { service = 'sunrpc' }, use = { type = 'rpc_decode' } },
    { when = { service = 'telnet' }, use = { type = 'telnet' } },

    { use = { type = 'wizard' } }
}

---------------------------------------------------------------------------
-- 5. configure performance
---------------------------------------------------------------------------

-- use latency to monitor / enforce packet and rule thresholds
latency =
{
    packet = { max_time = 1500 },
    rule = { max_time = 200 },
}

-- use these to capture perf data for analysis and tuning
--profiler = { }
--perf_monitor = { }

---------------------------------------------------------------------------
-- 6. configure detection
---------------------------------------------------------------------------

references = default_references
classifications = default_classifications

ips =
{
    -- use this to enable decoder and inspector alerts
    enable_builtin_rules = true,

    -- use include for rules files; be sure to set your path
    -- note that rules files can include other rules files
    --include = 'snort3_community.rules'
}

-- use these to configure additional rule actions
-- react = { }
-- reject = { }
-- rewrite = { }

---------------------------------------------------------------------------
-- 7. configure filters
---------------------------------------------------------------------------

-- below are examples of filters
-- each table is a list of records

--[[
suppress =
{
    -- don't want to any of see these
    { gid = 1, sid = 1 },

    -- don't want to see these for a given server
    { gid = 1, sid = 2, track = 'by_dst', ip = '1.2.3.4' },
}
--]]

--[[
event_filter =
{
    -- reduce the number of events logged for some rules
    { gid = 1, sid = 1, type = 'limit', track = 'by_src', count = 2, seconds = 10 },
    { gid = 1, sid = 2, type = 'both', track = 'by_dst', count = 5, seconds = 60 },
}
--]]

--[[
rate_filter =
{
    -- alert on connection attempts from clients in SOME_NET
    { gid = 135, sid = 1, track = 'by_src', count = 5, seconds = 1,
      new_action = 'alert', timeout = 4, apply_to = '[$SOME_NET]' },

    -- alert on connections to servers over threshold
    { gid = 135, sid = 2, track = 'by_dst', count = 29, seconds = 3,
      new_action = 'alert', timeout = 1 },
}
--]]

---------------------------------------------------------------------------
-- 8. configure outputs
---------------------------------------------------------------------------

-- event logging
-- you can enable with defaults from the command line with -A <alert_type>
-- uncomment below to set non-default configs
--alert_csv = { }
--alert_fast = { }
--alert_full = { }
--alert_sfsocket = { }
--alert_syslog = { }
--unified2 = { }

-- packet logging
-- you can enable with defaults from the command line with -L <log_type>
--log_codecs = { }
--log_hext = { }
--log_pcap = { }

-- additional logs
--packet_capture = { }
--file_log = { }

This is the command I am using to start Snort:

sudo /opt/snort/bin/snort -A alert_full -i enp0s3 -c /opt/snort/etc/snort/snort.lua -R /opt/snort/etc/snort/rules/snort3-community.rules -s 65535 -k none -l /var/log/snort -L log_pcap

I am running Snort v3.0.

Any help would be greatly appreciated.

Kindest Regards
Saffy
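The 550 in the error above is the FTP server on the IDS host refusing to open the path it was asked for. The script below is an added example, not part of the post and not pytbull's own code: it reads the same [FTP] values and alertsfile from config.cfg, attempts the retrieval the way pytbull's error message implies the tool does (a RETR of alertsfile over FTP), and reports where the FTP session actually landed plus the usual causes of a 550 to check on the sensor. Assumptions: the [PATHS] section header (the snippet in the post starts mid-section and never shows it), the FakeIdsFtp stand-in server, the sample alert line and the 192.0.2.10 address are all constructed so the script runs offline; to probe the real sensor, pass ftplib.FTP and its address instead.

```python
import configparser
import ftplib

# Constructed from the config.cfg snippet in the post. The [PATHS] header is an
# assumption: the snippet starts mid-section and never shows it.
SAMPLE_CONFIG = """\
[PATHS]
alertsfile = /var/log/snort/alert

[FTP]
ftpproto = ftp
ftpport = 21
ftpuser = saffy
ftppasswd = toor
"""


def load_ftp_settings(config_text):
    """Read the values pytbull needs to fetch the alert file from the IDS."""
    cp = configparser.ConfigParser()
    cp.read_string(config_text)
    return {
        "port": cp.getint("FTP", "ftpport"),
        "user": cp.get("FTP", "ftpuser"),
        "passwd": cp.get("FTP", "ftppasswd"),
        "alertsfile": cp.get("PATHS", "alertsfile"),
    }


def explain_ftp_reply(reply):
    """Map a permanent FTP failure reply to the checks worth making on the IDS."""
    code = reply[:3]
    if code == "550":
        return [
            "path does not exist on the IDS host: confirm the sensor writes alerts "
            "there (Snort 3's alert_* loggers print to stdout unless their 'file' "
            "option is set)",
            "the FTP user cannot read it: /var/log/snort is usually root-owned",
            "the FTP server chroots the user to its home directory, so an absolute "
            "path outside the jail is unreachable (compare the session's cwd)",
        ]
    if code == "530":
        return ["login rejected: check ftpuser/ftppasswd in [FTP]"]
    return ["unexpected reply: " + reply]


def check_alerts_file(host, settings, ftp_cls=ftplib.FTP):
    """RETR the alert file as pytbull does; return (ok, details with cwd/bytes/hints)."""
    details = {"cwd": None, "bytes": 0, "hints": []}
    ftp = ftp_cls()
    try:
        ftp.connect(host, settings["port"], timeout=10)
        ftp.login(settings["user"], settings["passwd"])
        details["cwd"] = ftp.pwd()  # "/" here usually means a chroot jail

        def count(chunk):
            details["bytes"] += len(chunk)

        ftp.retrbinary("RETR " + settings["alertsfile"], count)
        return True, details
    except ftplib.error_perm as exc:
        details["hints"] = explain_ftp_reply(str(exc))
        return False, details
    finally:
        try:
            ftp.quit()
        except Exception:  # quit() raises if the session never connected
            pass


class FakeIdsFtp:
    """Constructed, offline stand-in for the IDS host's FTP server: it chroots
    'saffy' into a jail holding only FILES, so the absolute /var/log/snort/alert
    from config.cfg draws the 550 the post reports while a jail path succeeds."""
    FILES = {"/alert": b"[**] [1:1000001:1] constructed test alert [**]\n"}

    def connect(self, host, port=21, timeout=None):
        self.host, self.port = host, port

    def login(self, user, passwd):
        if (user, passwd) != ("saffy", "toor"):
            raise ftplib.error_perm("530 Login incorrect.")

    def pwd(self):
        return "/"  # a chrooted session reports the jail root, not /home/saffy

    def retrbinary(self, cmd, callback, blocksize=8192, rest=None):
        path = cmd.split(" ", 1)[1]
        if path not in self.FILES:
            raise ftplib.error_perm("550 Failed to open file.")
        callback(self.FILES[path])

    def quit(self):
        pass
```

Against the real sensor: check_alerts_file("<sensor-ip>", load_ftp_settings(open("config.cfg").read())) with the default ftplib.FTP. If cwd comes back as "/" or a home directory rather than the filesystem root, the FTP account is jailed and an absolute alertsfile cannot work no matter what permissions /var/log/snort has; if retrieval succeeds but bytes is 0, the sensor has not written anything to that file yet.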
_______________________________________________ Snort-users mailing list Snort-users () lists snort org Go to this URL to change user options or unsubscribe: https://lists.snort.org/mailman/listinfo/snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news! Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
